JS/Fortnight is a slow mass mailer written in JavaScript that spreads in HTML-formatted messages.

VARIANT: Fortnight.A

The infected email message contains a hidden link to a web page. This page contains the actual worm code. When the user opens the message, the link is activated through an invisible iframe.

The code on the web page activates by using the Microsoft VM ActiveX vulnerability. This vulnerability has been fixed, and a patch is available from Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms00-075.asp

The code uses the cookie "TF" as an infection marker. If the cookie is not present, the worm changes the browser's startup page via the registry to an adult web site.

Next, the worm replaces the default Outlook Express 5.0 signature with a file, "C:\Program Files\sign.htm". This file contains the hidden iframe that activates the link silently. After this, all messages sent by the user with Outlook Express contain the hidden link to the malicious web page.

Then the worm adds three links to the Favorites folder, as follows:

SEXXX. Totaly Teen
Make BIG Money
6544 Search Engines Submission

Finally, the worm sets two cookies, "TF" and "RF". The first cookie expires after 14 days and the second one expires after one day.

The web page that hosted JS/Fortnight.A@m has already been closed, which means this variant can no longer infect.
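
A defender's check for the hidden iframe described above, as an added example that is not part of the original description: it lists the iframes in an HTML message body or signature file (such as the sign.htm file named above) that would be rendered invisibly. The hiding heuristics, the function name and the sample HTML are assumptions constructed for illustration; the description does not say how the worm hides its iframe.

```python
import re
import sys
from html.parser import HTMLParser

# Assumed heuristics: an iframe is "hidden" if a dimension is 0 or 1,
# if its inline style hides it, or if it carries the hidden attribute.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)",
    re.IGNORECASE,
)
TINY = {"0", "1", "0px", "1px", "0%"}


class HiddenIframeFinder(HTMLParser):
    """Collects the src of every iframe a reader would not see."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "iframe":
            return
        a = {name: (value or "").strip() for name, value in attrs}
        tiny = any(a.get(dim, "").lower() in TINY for dim in ("width", "height"))
        styled = bool(HIDING_STYLE.search(a.get("style", "")))
        if tiny or styled or "hidden" in a:
            self.hits.append(a.get("src", ""))


def find_hidden_iframes(html):
    """Return the src values of hidden iframes, in document order."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample signature file; hosts are placeholders.
SAMPLE_SIGNATURE = """<html><body>
<p>Regards, Alice</p>
<IFRAME SRC="http://worm-host.example/page.htm" WIDTH=0 HEIGHT=0></IFRAME>
<iframe src="http://intranet.example/calendar" width="600" height="400"></iframe>
<iframe src="http://other.example/x" style="Display: None"></iframe>
</body></html>"""

if __name__ == "__main__":
    # Scan the file given on the command line, or the sample if none is given.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SIGNATURE
    for src in find_hidden_iframes(text):
        print("hidden iframe ->", src)
```

Any hit in a mail signature file deserves a manual look, since a signature has no ordinary reason to embed an invisible frame.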